DependencyCheck

Regarding the tool tagging the spring-core library version as vulnerable even if it's higher than 5.3.16

Open Mridula03g opened this issue 1 year ago • 2 comments

Hi @jeremylong

Why is it still flagging the spring-core-5.3.32.jar when the vulnerable version is 5.3.16?

[image: MicrosoftTeams-image]

Thank you, Mridula U

Mridula03g, Mar 18 '24 10:03

[image: MicrosoftTeams-image (1)]

Mridula03g, Mar 19 '24 04:03

Take a look at the Known Affected Software Configurations and you will see that it says everything up to 6.0.0 is affected. You can contact the NVD if you feel this is wrong.

jeremylong, Mar 19 '24 09:03
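
The range match described in the reply above, as an added example (not DependencyCheck's or the NVD's own code): a version is reported when it falls inside a configuration's version range, whatever version the advisory text names. The range field names follow NVD CPE match data; both sample ranges are constructed, and treating the 6.0.0 bound as exclusive is an assumption.

```python
import re

# Range keys as they appear in NVD CPE match data.
BOUNDS = {
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def parse_version(text):
    """Turn '5.3.32' or '5.3.32.RELEASE' into a comparable tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric qualifier
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)

def pad(a, b):
    """Zero-pad both tuples to the same length so 6.0 compares equal to 6.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def in_range(version, cpe_match):
    """True when the version satisfies every bound present in one match entry."""
    v = parse_version(version)
    for key, test in BOUNDS.items():
        if key in cpe_match:
            pv, pb = pad(v, parse_version(cpe_match[key]))
            if not test(pv, pb):
                return False
    return True

def affected(version, configurations):
    """A version is flagged if any configuration entry's range contains it."""
    return any(in_range(version, m) for m in configurations)

# Constructed: "everything up to 6.0.0" (bound assumed exclusive).
BROAD = [{"versionEndExcluding": "6.0.0"}]
# Constructed: the narrower range the reporter expected.
NARROW = [{"versionEndIncluding": "5.3.16"}]

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD), ("narrow", NARROW)):
        print(name, "flags 5.3.32:", affected("5.3.32", cfg))
```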